AN0422: Analytic 0422
Forged SAML tokens may be leveraged to access O365 apps such as Outlook or SharePoint. Defenders should monitor for token replay across multiple clients or access attempts to privileged mailboxes without prior interactive login.
Analyst context for executives and security teams
This analytic is about spotting suspicious Microsoft 365 access that may indicate forged SAML token use, especially access to Outlook or SharePoint without the normal interactive sign-in pattern. For leaders, the significance is identity assurance: if cloud application sessions can be trusted without validating abnormal token use, attackers may appear as legitimate users and bypass many perimeter-focused controls.
Executive priority
Prioritize this as an identity and cloud security validation item for Office Suite environments using O365 applications. Executives should ask whether the organization can prove who accessed privileged mailboxes, from which clients, and whether that access followed expected login behavior. This matters for incident response speed, mailbox investigation quality, audit evidence, and confidence in cloud access controls.
Technical view
SOC and detection teams should validate whether they can detect token replay across multiple clients and access attempts to privileged mailboxes without prior interactive login. Because no formal ATT&CK detection logic is supplied, teams should treat AN0422 as a detection objective rather than a ready-made rule. Focus validation on O365 application access patterns for Outlook and SharePoint, session/client consistency, privileged mailbox access, and correlation between interactive sign-in evidence and subsequent application access.
Likely telemetry
- O365 application access logs for Outlook and SharePoint
- Interactive sign-in records associated with the accessing identity
- Mailbox access events, especially for privileged mailboxes
- Client, session, device, and network attributes tied to token use
- Identity provider or cloud authentication logs that can correlate sign-in activity with application access
Detection direction
- Confirm that monitoring can correlate application access with prior interactive login for the same identity.
- Look for token replay indicators across multiple clients, while accounting for legitimate multi-client user behavior.
- Tune privileged mailbox monitoring separately from normal mailbox access because the business risk and response urgency are higher.
- Validate whether logs retain enough client and session context to distinguish expected access from suspicious replay-like patterns.
- Document blind spots where O365 access logs, sign-in logs, or mailbox audit records are missing, delayed, or not centrally correlated.
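The two detection directions above (privileged mailbox access without a recent interactive sign-in, and one session or token identifier appearing across several clients) as an added worked example, not part of the ATT&CK object or Glexia's analysis. The log records and field names (`user`, `ts`, `client`, `session`, `mailbox`) are constructed assumptions; real O365 and identity-provider schemas differ.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); field names are assumptions.
SIGNINS = [  # interactive sign-ins from the identity provider
    {"user": "alice@example.test", "ts": "2024-05-01T08:00:00", "client": "C1"},
    {"user": "bob@example.test", "ts": "2024-04-30T17:00:00", "client": "C7"},
]
ACCESS = [  # O365 application access events (Outlook / SharePoint)
    {"user": "alice@example.test", "ts": "2024-05-01T08:05:00", "app": "Outlook",
     "client": "C1", "session": "S1", "mailbox": "alice@example.test"},
    {"user": "bob@example.test", "ts": "2024-05-01T09:10:00", "app": "Outlook",
     "client": "C7", "session": "S9", "mailbox": "ceo@example.test"},
    {"user": "bob@example.test", "ts": "2024-05-01T09:12:00", "app": "SharePoint",
     "client": "C8", "session": "S9", "mailbox": None},
]
PRIVILEGED = {"ceo@example.test"}  # mailboxes tuned separately (higher risk)
WINDOW = timedelta(hours=10)       # max age of a sign-in that can explain access

def _signins_by_user(signins):
    idx = defaultdict(list)
    for s in signins:
        idx[s["user"]].append((datetime.fromisoformat(s["ts"]), s["client"]))
    return idx

def privileged_access_without_signin(signins, access, privileged, window=WINDOW):
    """Privileged mailbox access with no interactive sign-in by that identity
    inside the preceding window ('no prior interactive login')."""
    idx = _signins_by_user(signins)
    hits = []
    for a in access:
        if a.get("mailbox") not in privileged:
            continue
        t = datetime.fromisoformat(a["ts"])
        if not any(t - window <= st <= t for st, _ in idx[a["user"]]):
            hits.append((a["user"], a["mailbox"], a["ts"]))
    return hits

def sessions_on_unseen_clients(signins, access):
    """One session/token id used from several clients where at least one client
    never signed in interactively for that user (replay-like). Users whose
    sign-in history covers every client are tolerated as legitimate multi-client."""
    known = {u: {c for _, c in v} for u, v in _signins_by_user(signins).items()}
    clients = defaultdict(set)
    for a in access:
        clients[(a["user"], a["session"])].add(a["client"])
    return sorted((u, s, sorted(c - known.get(u, set())))
                  for (u, s), c in clients.items()
                  if len(c) > 1 and not c <= known.get(u, set()))
```

Both functions return the flagged tuples rather than printing, so they can feed a SIEM rule or a notebook; tune `WINDOW` and the privileged set to the local mailbox privilege model.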
Mitigation priorities
- Strengthen cloud identity monitoring around O365 access before relying on this analytic for response decisions.
- Ensure privileged mailbox access is explicitly logged, reviewed, and included in incident response playbooks.
- Review identity and access control posture for high-value accounts and mailboxes, including conditional access and session governance where applicable.
- Use tabletop or detection validation exercises to confirm analysts can investigate abnormal mailbox access without assuming the token is legitimate.
- Maintain audit-ready evidence showing how interactive login, application access, and privileged mailbox activity are correlated.
Analyst notes and limits
AN0422 is a detection analytic associated with Office Suite platforms and O365 applications such as Outlook and SharePoint. The supplied ATT&CK content gives a monitoring concept but no detailed detection implementation, tactics, relationships, or linked techniques. Treat it as guidance for coverage validation rather than a complete analytic.
The object has no supplied official detection section, no tactics, and no relationship context. Conclusions about attacker behavior, prevalence, specific products, or guaranteed detection are not supported by the provided fields. Local identity architecture, logging configuration, and mailbox privilege model are required to determine practical coverage.
Analytic 0422
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ecc96129b6df… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0422 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.